April's Patch Tuesday to fix two critical flaws in Windows, IE

Summary: Microsoft will fix nine flaws in total later this month, including two critical vulnerabilities in Internet Explorer and all versions of Windows.

TOPICS: Security, Microsoft

In this month's roundup of security flaws, Microsoft said it will patch nine vulnerabilities in total, two of them rated "critical."

As usual, little information is provided about the flaws, to ensure attackers can't exploit them in advance of the upcoming release. But in today's advance security bulletin, the software giant warns of flaws in Windows, Internet Explorer, Microsoft Office and some of its server software.

The first critical flaw affects all versions of Internet Explorer, including: Internet Explorer 6, 7 and 8 on Windows XP; Internet Explorer 7, 8 and 9 on Windows Vista; and Internet Explorer 8, 9 and 10 in Windows 7. It also affects Internet Explorer 10 on Windows 8 and Windows RT-based tablets.

The patch will fix a flaw that allows a drive-by attack, in which hackers use malware-laden websites to attack machines running the software.

The second critical update affects Windows XP (Service Pack 3), Windows Vista (Service Pack 2) and Windows 7 — but not Windows 8 or Windows RT-based devices, such as Surface tablets. The patch will fix a flaw that allows an attacker to elevate privileges, such as from the more secure "user" to "administrator" privileges, opening up the core system files to attack and thus a greater scope for malware injection.

In line with previous months, it's likely that Microsoft will also dish out a number of non-security-related fixes to its Surface Pro and Surface RT tablets.

Any machines at home or at work with these affected systems will be patched in just under a week when Microsoft releases the software patches and fixes.

The software fixes will be released on April 9 through the usual update channels, such as Windows and Microsoft Update.


Talkback

43 comments
  • More swiss cheese to go with that brie

    I guess all that honeymonster nonsense about IE security is just that. Nonsense.

    They'll patch and plug up this leaky ship just like they did when IE6 and IE7 were around. Gee, there are probably some idiots out there still using those too.
    CaviarGreen
    • What colander do you use?

      Which one of these for your pasta?


      http://www.ubuntu.com/usn/usn-1786-1/
      http://www.ubuntu.com/usn/usn-1787-1/

      http://msisac.cisecurity.org/advisories/2013/2013-007.cfm

      http://support.apple.com/kb/HT5671
      http://support.apple.com/kb/HT5672
      Earthling2
    • CaviarGreen there are probably some idiots out there still using those too.

      Only Loverock Davidson, Owlllnnet1 and Todbottom3; otherwise the smart ones have moved on.
      Over and Out
    • @ Earthling2

      And none of those browsers have the marketshare IE does, so what happens to IE will have a bigger impact out there. That's the price you pay for monopolizing the desktop market and bundling IE in with the OS.

      Besides, it wouldn't surprise me at all if these IE 'fixes' are being plugged due to an existing exploit. Wouldn't surprise me at all...
      CaviarGreen
    • Ha!

      Yeah because releasing patches shows bad security...

      You don't honestly believe that - do you?

      Windows security has improved enormously, there is a reason we talk far more about flaws in Java, Adobe Reader, Flash etc... It's because the base OS has improved hugely (in terms of security).

      Fanboys slinging mud about security really is rather pointless in 2013. All the "big" OS offerings are pretty good in this regard.

      So let's argue about something else, because this ****ing contest seems utterly futile.
      jeremychappell
    • When IE stops being bundled with the OS

      And its marketshare falls off, then I'll ease off.

      Until then they deserve to be bashed.
      CaviarGreen
      • first time connection

        How do you make your first connection to the net without something that comes on the machine, especially if that machine has no ports?
        mswift@...
        • first time connection?

          Quite easy. You either go to an EU style choice menu or you go back to the days of FTP.

          Oh that's right. You were a widdle tadpole back in FTP days. Can't possibly conceive of IE not being bundled in with Windoze, right? Sur-prise!

          Tunnel vision, boys & girls?

          I believe FTP is still a valid protocol. Let's start using it again.
          CaviarGreen
      • Well, then I guess you'll have to move to the European Union

        Or else have an N or KN version of Windows imported.
        Richard Estes
      • Wow buddy

        You just went full retard right there..
        Zami90
        • Naw, buddy

          You just have to accept that you're a proprietary tool who gets spoon fed by your bosses in Redmond.

          Go get yourself a spine, tool.
          CaviarGreen
  • So what was Microsoft doing all that time

    ...during IE 10's development? The thing was just released like a month ago for Windows 7 and it's already vulnerable. Don't they do security testing before they release these things? It would save a little face if it was released with the patch already. I can understand older versions, but come on!
    adacosta38
    • They were sitting on their fat butts

      Worried about Linux eroding another 1/10th of 1% of their marketshare
      CaviarGreen
    • Deal with it

      Yeah, and?! A modern browser is a huge piece of software, and security updates are really a given at this point. IE 10 is a nice browser, with impressive speed and good standards support. So it needs a patch - assuming there are no "in the wild exploits" it seems fine. While it is tempting to expect Microsoft to never have to issue a patch for anything that's "new", that really isn't how software engineering is.
      jeremychappell
      • That's beside the point

        They invented swiss cheese. Now they have to deal with it. IE10 is nothing more than lipstick on an old pig that's getting tired and creaky by now.
        CaviarGreen
        • Just like your argument

          Time for something new
          ye
        • you are a slow pig.....

          ....why didn't you point out these vulnerabilities before MS came out with them?

          That's right.. because you didn't have a clue...
          Snarfiorix
          • ....why didn't you point out these vulnerabilities before MS came out with

            Didn't have to. Swiss cheese is a fact of life at Micro$oft. They can't create cheese without those big air pockets showin' through

            lol...
            CaviarGreen
        • Win8

          Did you read the part about Win8 not being affected????
          mswift@...
          • Read more carefully

            Mswift,

            You need to read the article more carefully, because Zack Whittaker said, "The second critical update affects Windows XP (Service Pack 3), Windows Vista (Service Pack 2) and Windows 7 — but not Windows 8 or Windows RT-based devices, such as Surface tablets." What that means is the patch is only being applied to those versions of Windows, because they're the only ones they have figured out how to fix so far. Nowhere does it say in the article that any version of Windows 8 isn't vulnerable to the same security problem. My guess is we can expect MS to fix the problem sometime in the near future, but don't ask me how soon, as I don't work for them.
            jsalakar@...